
6. Discussion and conclusion

6.2. Conclusion

Therefore, more reference platforms for evaluating novel approaches for ATIs, like the test-bed in section 5.2.2, are needed.

This research thesis aimed to answer the general question: How can a previously unknown attack on a distributed Industrial Information and Automation Technology Infrastructure be detected? Chapter 2 showed the available countermeasures for securing Information Technology (IT) infrastructures and especially their counterparts in ATIs. Based on the analysis of this research, the focus was formulated in chapter 3, where a general answer can be given: Anomaly Detection. The related work presented in the same chapter showed the challenges for operators to secure their infrastructures in practice. Detailed research questions arose:

• What would a sound and practice-oriented concept for detecting unknown attacks look like?

In chapter 4 such a concept was developed using the methodology elaborated within the same chapter. Since it follows requirements from practice, this concept can be utilized there.

• What methodical steps are necessary to develop such a concept?

Figures 4.3 and 4.4 show the answer to that question: system analysis, concept design, implementation and evaluation. Especially the system analysis requires detailed steps like information collection, Technological Map (TechMap) generation, application-specific analysis and data capture/analysis.

• Which limitations and constraints exist and how do they alter a possible concept?

The limits are set by practice and the respective application context. For example, the availability of data sources can lead to different application-specific manifestations of the template concept shown in figure 4.14. The developed architecture as shown in figure 4.12 also resulted from requirements of practice, since these infrastructures are segmented. A monitoring concept has to be tailored to these requirements.

• Which parameters influence the quality of detection and which are modifiable?

The usage of different data sources in conjunction with different algorithms leads to a better detection performance. By using different data sources the quality of detection can be enhanced (as shown in section 5.2), since some attacks can only be detected by using the respective data source.

Furthermore, detection algorithms influence the quality strongly. By utilizing a service-based concept these can be interchanged according to the needs of the application context.

• How can a possible concept be integrated within the heterogeneous infrastructures?

The developed template concept was mirrored along the Automation Pyramid structure, which current ATIs are based on. Additionally, the impact of real practical requirements on the concept, like a small influence on the process, segmentation, modularization, service-orientation and multi-layer preparedness, ensures the applicability.

• How to scale the possible concept depending on the need for each application?

The aforementioned arguments that guarantee applicability to heterogeneous infrastructures also ensure the scalability. The deployment concept of the reference implementation shown in figure 5.1 shows that different services can be run on various computing entities. The architecture itself (see figure 4.12) and data flow (see figure 5.2) enable the application for a broad variety of infrastructures. Bigger infrastructures with more segments require more embedded nodes and local computing nodes accordingly. The limits are set by existing network and computing technologies.

The developed concept is able to detect several different attack types which are unknown to the detection system, as shown in chapter 5, and is intended to work for a broad variety of application contexts. The applicability is ensured by the combination of a template concept which can be flexibly tailored using the presented methodology. Future research that puts forth novel approaches, algorithms or even data sources can be included in an uncomplicated manner.

6.2.1. Contributions of this thesis

This work analyzed the current state of basic principles, threats, attack models and countermeasures for Automation Technology Infrastructures. The analysis revealed that especially countermeasures regarding a detection of anomalies are necessary and that related works were not developed with requirements from practical application contexts in mind. Therefore the need of operating companies for a methodology to develop a detection concept was addressed. This methodology was utilized on the basis of requirements and data of eleven real use cases from four Critical Infrastructures (CIs), six manufacturing companies and one academic example. The resulting generalized concept can be used as a template in conjunction with the methodology to generate application-specific concepts much faster for new use cases. A prototypical implementation was evaluated using requirements and attack scenarios taken from practice. The evaluation took place in a very realistic test-bed using real data captures from the respective application scenario. It was shown that a decision fusion of different detection services and data sources has a better detection performance compared to individual solutions.

Additionally, during experiments a new attack vector was found: the fastest wins (ref. to sec. 5.2.4). This attack needs well calculated timing in conjunction with access to the subnet of the PLC. If one is aware of that, this scenario can not only be detected by the PCBAD algorithm; an easy way to detect it is monitoring of network parameters like typical bandwidth usage.

Furthermore, the analysis, implementation and evaluation led to several new findings, which lead to new research questions.

6.2.2. Future work

These results mirror a snapshot of current conditions. The arms race of attackers and defenders [Schneier, 2014] leads to changing requirements over time.

Even if the presented methodology and the template concept were developed to be flexible and applicable for a broad variety of application contexts, they cannot be seen as valid for all times. Similar to a security process, new requirements and changing conditions have to be adapted to. A concept has to be changed accordingly. The whole methodology of this work should be implemented into a process that can be repeated to react to changes iteratively. To apply the developed security concept of the test scenario in practice, an iterative approach for the present methodology could be: a) conduct another iteration of the implementation and evaluation for a better algorithmic basis, b) generate a prototype by implementing the best available algorithm for each service and c) apply it in a customer's real-world scenario.

An example for the arms race is the so-called malicious learning. [Ferrara et al., 2014] demonstrated how machines with trained algorithms can be outwitted. They morphed two faces into one picture, and both people gained access with these fabricated passports at automated border control machines used in airports. This approach shows that especially algorithms using machine learning components can be fooled. It is just a matter of time until an attacker discovers a loophole.

During this work further research questions arose through observations. These can form the basis of future work. The following questions resulted:

• Do the attacks as developed with operators reflect real attacks?

Attack scenarios this thesis is based on were developed with experts from operating companies. These scenarios demand highly skilled attackers with profound background knowledge. Is it like that in practice? To answer that question, a well-made honey-process emulating an entire infrastructure has to be set up to generate basic research data on real attacks. The work done for the BVVS could be a starting point.

• Which algorithm performs best according to a specific data source?

A vast number of algorithms are available for pattern recognition purposes. Related work of this thesis only adopted a small amount of those compared to conventional Intrusion Detection Systems. Basic research towards this topic is enabled using the present methodology and test-bed. The porting and implementation of further algorithms for evaluation can lead to profound statements toward comparability and performance.

• Which fusion scheme performs best?

Fusion can be done on data, feature and decision level. The usage of different algorithms indicates decision fusion, but the other schemes were not tested. Furthermore, different fusion algorithms can be evaluated too.
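As an added example (not the thesis's own implementation), the following shows decision-level fusion of several detection services' verdicts under three fusion schemes, fed by a bandwidth-baseline service of the kind section 6.2.1 names for the "fastest wins" scenario. The protocol service, the weights, the baseline length and all traffic figures are constructed assumptions; PCBAD appears only as a service name.

```python
"""Decision-level fusion of per-interval alarms from several detection
services.  Added example, not the thesis's own code: the bandwidth-baseline
service, the 'protocol' service, the weights and all traffic figures are
constructed for illustration; PCBAD is only used as a service name."""
from statistics import mean, pstdev


def bandwidth_service(bytes_per_interval, baseline_len, k=3.0):
    """Alarm on intervals whose byte count exceeds mean + k*stddev of the
    first baseline_len intervals (assumed attack-free, i.e. 'typical usage')."""
    base = bytes_per_interval[:baseline_len]
    threshold = mean(base) + k * pstdev(base)
    return [b > threshold for b in bytes_per_interval]


def fuse(verdicts, scheme="weighted", weights=None, threshold=0.5):
    """Combine per-service verdict lists (True = alarm) interval by interval.
    'any': alarm if any service alarms; 'majority': more than half alarm;
    'weighted': weight-normalised vote share exceeds threshold."""
    weights = weights or [1.0] * len(verdicts)
    total = sum(weights)
    fused = []
    for votes in zip(*verdicts):            # one tuple of votes per interval
        if scheme == "any":
            fused.append(any(votes))
        elif scheme == "majority":
            fused.append(2 * sum(votes) > len(votes))
        else:
            share = sum(w for w, v in zip(weights, votes) if v) / total
            fused.append(share > threshold)
    return fused


# Constructed data: 8 intervals of ~1000 bytes; interval 6 carries a burst
# that only the bandwidth source reveals (cf. 'the fastest wins' scenario).
BYTES = [1000, 1020, 990, 1010, 1005, 995, 4800, 1000]
PCBAD = [False] * 8                          # process model sees nothing
PROTO = [False] * 5 + [True, False, False]   # lone alarm in interval 5 (constructed noise)


def run():
    bw = bandwidth_service(BYTES, baseline_len=6)
    services = [bw, PCBAD, PROTO]
    return {
        "bandwidth": bw,
        "any": fuse(services, "any"),
        "majority": fuse(services, "majority"),
        # bandwidth source trusted twice as much as the others
        "weighted": fuse(services, "weighted", [2.0, 1.0, 1.0], threshold=0.4),
    }
```

Calling `run()` shows why the scheme matters: majority voting suppresses the burst that only one source sees, "any" raises the lone protocol alarm as well, and the weighted vote keeps the burst while dropping the single-service noise.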

• Which further data sources are available?

Other application contexts may contain additional data sources that were not part of the eleven analyzed ones. Furthermore, existing data sources could possibly be split into further sub-categories. An example is the network traffic data source. It could be split into packets (header, data), protocol, stats (bandwidth usage, etc.), communication patterns (which node communicates with which other node at which frequency, ...).

• Which services could be integrated into a PLC device?

CVS and SVS are parts of conventional HIDS. Due to lack of access to the closed platforms and for additional performance and stability reasons, these were developed to monitor PLC devices from a distance. A vendor could integrate these services into the core functionality of these devices.

• How can the auto-generation of causal models be enhanced?

The chosen approach for the PCBAD algorithm uses manual identification of causalities. This is cumbersome and requires expert knowledge. The automatic identification from process data shows promising, but still improvable results. Further research could lead to better models from auto-generation (ref. to appendix A.4).

• How would a honey-process look and perform?

The already mentioned approach to create a fake ATI that traps intruders for analysis purposes seems worth further research. Resource efficiency, scalability and portability seem to be requirements that have to be confirmed.